MacOS Add Ons- PlatformSSO - Secure Enclave
MacOS : Understanding PlatformSSO Secure Enclave in Devicie
Overview:
Platform SSO is a Microsoft Entra feature that enhances the Microsoft Enterprise SSO plug-in. It uses hardware-bound cryptographic keys and the SSO app extension.
When the device receives the policy, there's a Registration required notification that shows in the Notification Center.

End users select this notification, sign in to the Microsoft Entra ID plug-in with their organization account, and complete multi-factor authentication (MFA), if required.
The Secure Enclave method has more features than the Password method:
- Passwordless (phishing resistant)
- TouchID supported for unlock
- Can be used as passkey
- MFA mandatory for setup
- Supported on macOS 14.x +
- Optionally, allow new users to log in with Entra ID credentials (macOS 14.x +)
By design, the "Local Mac password synced with Entra ID" feature is not available with this method.
Pre-Requisites:
Ensure that per-user MFA is not enabled for users. Transition to Conditional Access MFA in accordance with Microsoft Entra ID recommendations.
Recommended Assignment Target:
Assign to All Devices, exclude Shared Devices
Variable Settings:
| Name | Purpose | Type | Default Value |
| --- | --- | --- | --- |
| LAPS Admin Username | The list of local accounts that aren't subject to FileVault Policy, Login Policy, or Unlock Policy. | array of strings | ["ladvc"] |
Base Settings:
| Setting | Description | Value |
| --- | --- | --- |
| Extension Identifier | The bundle identifier of the app extension that performs SSO for the specified URLs. | com.microsoft.CompanyPortalMac.ssoextension |
| TeamIdentifier | The team identifier of the app extension. This key is required on macOS and ignored elsewhere. | UBF8T346G9 |
| Type | The type of SSO. | Redirect |
| Screen Locked Behavior | If set to Cancel, the system cancels authentication requests when the screen is locked. If set to DoNotHandle, the request continues without SSO instead. | DoNotHandle |
| URLs | An array of URL prefixes of identity providers where the app extension performs SSO. Required for Redirect payloads. | https://login.microsoftonline.com, https://login.microsoft.com, https://sts.windows.net, https://login-us.microsoftonline.com, https://login.microsoftonline.us, https://login.usgovcloudapi.net |
| Platform SSO Use Shared Device Keys | If true, the system uses the same signing and encryption keys for all users. Only supported on the device channel. | True |
| Platform SSO Account Display Name | The display name for the account in notifications and authentication requests. | Microsoft Entra ID |
| Platform SSO Authentication Method | The Platform SSO authentication method to use with the extension. Requires that the SSO Extension also support the method. | User Secure Enclave Key |
| Extension Data browser sso interaction enabled | Keys and values to pass to the app extension. | 1 |
| Extension Data disable explicit app prompt | Keys and values to pass to the app extension. | 1 |
| Extension Data App Prefix Allow List | Keys and values to pass to the app extension. | com.microsoft.,com.apple. |
| Registration Token | The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. | |
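As an added example (not Devicie's or Microsoft's code), the following Python check audits an exported Extensible SSO payload against the settings in the tables above. It assumes Apple's com.apple.extensiblesso key names (PlatformSSO, AuthenticationMethod, NonPlatformSSOAccounts) and maps the LAPS Admin Username variable to NonPlatformSSOAccounts; the sample payload is constructed here, not exported from a real profile.

```python
import plistlib

# Constructed sample (not an exported profile): the settings from this page
# expressed with the keys of Apple's com.apple.extensiblesso payload;
# NonPlatformSSOAccounts carries the "LAPS Admin Username" variable.
SAMPLE_PAYLOAD = {
    "PayloadType": "com.apple.extensiblesso",
    "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
    "TeamIdentifier": "UBF8T346G9",
    "Type": "Redirect",
    "ScreenLockedBehavior": "DoNotHandle",
    "URLs": ["https://login.microsoftonline.com", "https://login.microsoft.com",
             "https://sts.windows.net", "https://login-us.microsoftonline.com",
             "https://login.microsoftonline.us", "https://login.usgovcloudapi.net"],
    "PlatformSSO": {"AuthenticationMethod": "UserSecureEnclaveKey",
                    "UseSharedDeviceKeys": True,
                    "AccountDisplayName": "Microsoft Entra ID",
                    "NonPlatformSSOAccounts": ["ladvc"]},
    "ExtensionData": {"browser_sso_interaction_enabled": 1,
                      "disable_explicit_app_prompt": 1,
                      "AppPrefixAllowList": "com.microsoft.,com.apple."},
}
SAMPLE_PLIST = plistlib.dumps(SAMPLE_PAYLOAD)  # same payload as XML plist bytes

# Values the page pins; a different extension or team would receive the SSO traffic.
PINNED = {"PayloadType": "com.apple.extensiblesso",
          "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
          "TeamIdentifier": "UBF8T346G9", "Type": "Redirect"}

def audit_payload(p: dict) -> list[str]:
    """Return findings where a payload departs from this page's Secure Enclave baseline."""
    findings = [f"{k} is {p.get(k)!r}, expected {v!r}" for k, v in PINNED.items()
                if p.get(k) != v]
    findings += [f"non-HTTPS IdP URL: {u}" for u in p.get("URLs", [])
                 if not u.startswith("https://")]
    psso = p.get("PlatformSSO", {})
    if psso.get("AuthenticationMethod") != "UserSecureEnclaveKey":
        findings.append("AuthenticationMethod is not UserSecureEnclaveKey; "
                        "the Password method is not phishing resistant")
    exempt = psso.get("NonPlatformSSOAccounts")
    if not exempt or not all(isinstance(a, str) for a in exempt):
        findings.append("NonPlatformSSOAccounts is empty: the LAPS admin would be "
                        "bound by the FileVault, Login and Unlock policies")
    return findings

def audit_plist(data: bytes) -> list[str]:
    """Audit a payload dictionary serialised as a property list (XML or binary)."""
    return audit_payload(plistlib.loads(data))
```

An empty list means the payload matches the baseline; run audit_plist on the payload dictionary extracted from a deployed profile to catch drift such as a switch back to the Password method.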
More Info:
Platform SSO configuration guide for macOS devices using Microsoft Intune
Protecting keys with the Secure Enclave